No Discovery of Patient Records In Federal Employment Case

Posted on July 26, 2011 by Jason C. Gavejian

The U.S. District Court for the Southern District of Ohio found the confidentiality rights of patients outweighed a plaintiff’s need to take discovery of patient medical records in Kapp v. Jewish Hospital, Inc.  Plaintiff, a former nurse, brought suit in the federal court in Ohio, alleging she was terminated in violation of federal employment discrimination laws.  Specifically, plaintiff alleged defendant had alternative motives for plaintiff’s termination, including plaintiff’s age, perceived disability, and plaintiff’s request for FMLA leave.  To establish her case, plaintiff sought to ascertain through the discovery process, whether other similarly situated nurses, were treated in a like manner.  To do so, plaintiff filed a motion to compel seeking access to non-party patient records in an attempt to discern if other nurses participated in essentially the same conduct for which defendant terminated plaintiff, but were not themselves terminated.  The Magistrate Judge denied plaintiff’s motion to compel and held that Ohio's strict physician-patient privilege law applied to prevent production of the records.  The plaintiff objected to the Magistrate Judge’s Order, and those objections were heard by the District Court Judge.  The District Court Judge held that “[a]lthough state privilege law does not control…there are abundant and adequate federal principals that protect patient confidentiality.”  The Court went on to state,

the non-party patients’ right to confidentiality outweighs the plaintiff’s proffered justification for accessing the non-party patient medical records. 

The Court went on to say that the Health Insurance Portability and Accountability Act expresses a general federal policy favoring patients' right to confidentiality and HIPAA's Privacy Rule grants federal protections for patients' personal health information held by covered entities and gives patients rights regarding that information. In this case, the plaintiff had other, less-intrusive options for discovering whether the hospital treated similarly situated nurses differently, including, for example, narrowing the scope of the request by deposing other nurses who had worked with the physician in question, the hospital's human resources personnel, or other nurse supervisors.

The broad discovery sought by plaintiff in this matter is not an uncommon approach taken by the plaintiff’s bar in an effort to prove the merits of their client’s claims.  Employers, especially those in the healthcare industry, must be aware of opinions like Kapp in their efforts to limit plaintiff’s unfounded discovery requests and to protect their patients privacy.  

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

U.S. Bank Hit with Class Action Suit Alleging Data Breach Cover-Up

Posted on December 14, 2010 by Jason C. Gavejian

Paintball Punks filed a class action suit against U.S. Bank  in Hennepin County, Minnesota. The case was subsequently removed on December 6, 2010, to the Minneapolis District Court. In the complaint, Paintball Punks alleges that between August and December 2009 it received 9 orders totaling approximately $11,000, which were fraudulently billed to U.S. Bank-issued cards. The amount was subsequently chargebacked (U.S. Bank tapped into Paintball Punks’ account to recoup the money after payment). 

The online retailer asserts that U.S. Bank failed to protect them and other merchants by failing to remedy a known data breach in the Bank’s system.   Despite knowledge of those breaches, U.S. Bank allegedly allowed compromised card accounts to remain active, which led to fraudulent credit card transactions with Paintball Punks and other merchants similarly situated, followed by chargebacks that U.S. Bank processed against the accounts of the merchants.

According to the complaint, the most likely explanation (allegedly consistent with statements obtained from two U.S Bank employees) is that the fraudulent activity resulted from a data breach at U.S. Bank. The complaint alleges that U.S. Bank could have corrected the data breach at several points before the losses were suffered by Paintball Punks and the rest of the class: when it learned of the breach it could have notified all of the affected cardholders at once and cancelled their cards. If that were the case, none of the information lost in the breach could have been used to defraud Paintball Punks.

The complaint alleges that concerns about fraud supersede that of terrorism, computer and health viruses and personal safety, and that the Banks “fear” of public repercussion motivated U.S. Bank’s decision to fail to remedy this breach.   Paintball Punks asserts that if U.S. Bank were to notify large numbers of its cardholders of a data breach in its facilities, then it would stroke the fears and concerns of credit card fraud among its cardholders, and they would associate that fear with U.S. Bank as an issuer.

This case is one of the first instances where a merchant has filed suit against a bank for a potential breach of information that did not directly implicate the merchant’s personal information, instead simply resulted in “damages” to the merchant.   Companies must be aware that the plaintiff’s bar is looking for new and creative ways to sue for damages based on data breaches. 

Tags: , , , , , , , , , , , , ,

Employees Claiming Emotional Distress Must Produce Social Network (Facebook and MySpace) Information In Discovery

Posted on June 15, 2010 by Jason C. Gavejian

All information from plaintiffs’ social networking profiles and postings that relate to their general emotions, feelings, and mental states must be produced in discovery when they allege severe emotional trauma and harassment against their employer, a federal court in Indiana has ruled. (EEOC v. Simply Storage Management LLC, S.D. Ind., No. 1:09-cv-1223, discovery order 5/11/10).

Social networking sites (SNS) such as Facebook and MySpace are fast becoming a hot topic in litigation as they may contain a wealth of potentially relevant information. In Simply Storage, the Equal Employment Opportunity Commission brought suit on behalf of plaintiffs and other similarly situated employees who claimed their employers were liable for a supervisor’s alleged sexual harassment. The EEOC requested a discovery conference because counsel for the parties disagreed as to whether the two named plaintiffs must produce the Internet social networking site profiles, including postings, pictures, blogs, messages, personal information, lists of “friends,” and of causes joined that the user has placed or created online.

The EEOC objected to production of all SNS content (and to similar deposition questioning). It argued the requests were overbroad, not relevant, unduly burdensome (because they improperly infringe on claimants’ privacy), and would harass and embarrass the claimants. Simply Storage countered that discovery of these matters was proper because certain EEOC discovery responses placed the emotional health of particular claimants at issue, beyond that typically encountered in “garden variety emotional distress claims.”

The court weighed ordering complete discovery of the plaintiffs' Facebook and MySpace account information against limiting discovery to content specifically related to the alleged injury.  It found neither alternative satisfactory. According to the court, limiting discovery to posts that specifically referenced the mental issues and harassment alleged by the plaintiffs would be too narrow, while admitting the full profiles would include likely irrelevant—and potentially inflammatory—content. The court held, “It is reasonable to expect severe emotional or mental injury to manifest itself in some SNS content, and an examination of that content might reveal whether onset occurred, when, and the degree of distress. Further, information that evidences other stressors that could have produced the alleged emotional distress is also relevant.”

The court therefore defined the relevant scope of discovery as including “any profiles, postings, or messages (including status updates, wall comments, causes joined, groups joined, activity streams, blog entries) … that reveal, refer, or relate to any emotion, feeling, or mental state, as well as communications that reveal, refer, or relate to events that could reasonably be expected to produce a significant emotion, feeling, or mental state.”

The court rejected the EEOC’s assertion that broad discovery of this kind would violate the plaintiffs' right to privacy and held that, while potentially relevant content may be embarrassing to the plaintiffs, “this is the inevitable result of alleging these sorts of injuries.” In addressing the argument that the profiles were “private” and password protected, the court held that these protections were insufficient to circumvent discovery. “[A] person's expectation and intent that her communications be maintained as private is not a legitimate basis for shielding those communications from discovery.”

This case illustrates the importance of expanding the traditional thinking behind discoverable information to cover social media. Employers, upon advice of counsel, should consider requesting information of this nature. 

Tags: , , , , , , , , , , ,